CVE-2021-22112

CVSSv4: NA | CVSSv3: 8.8 | CVSSv2: 9 | VMScore: 980 | EPSS: 0.00267 | KEV: Not Included
Published: 23/02/2021 Updated: 21/11/2024

Vulnerability Summary

Spring Security 5.4.x before 5.4.4, 5.3.x before 5.3.8.RELEASE, 5.2.x before 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.

Vulnerable Products

pivotal software spring security

vmware spring security

oracle communications element manager

oracle communications interactive session recorder 6.3

oracle communications interactive session recorder 6.4

oracle communications unified inventory management 7.4.1

oracle hospitality cruise shipboard property management system 20.1.0

oracle insurance policy administration 11.2.0

oracle insurance policy administration 11.3.0

oracle mysql enterprise monitor

Vendor Advisories

A security issue was found in Jenkins 2.275 through 2.278 (inclusive) that allows attackers with Job/Workspace permission to exploit this to switch their identity to SYSTEM, an internal user with all permissions. The issue is caused by an embedded copy of Spring Security, which in version 5.4.3 and earlier has a vulnerability that unintentionally p ...

Mailing Lists

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Jenkins 2.280. Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: www.jenkins.io/ ...

Github Repositories

Spring Security integration with Auth0 to secure your API with JWTs

Auth0 Spring Security for API. Note: As part of our ongoing commitment to best security practices, we have rotated the signing keys used to sign previous releases of this SDK. As a result, new patch builds have been released using the new signing key. Please upgrade at your earliest convenience. While this change won't affect most developers, if you have implemented a

References

CWE: NVD-CWE-noinfo

https://nvd.nist.gov
https://github.com/auth0/auth0-spring-security-api
http://seclists.org/oss-sec/2021/q1/166
https://www.first.org/epss
https://security.archlinux.org/CVE-2021-22112
http://www.openwall.com/lists/oss-security/2021/02/19/7
https://lists.apache.org/thread.html/r163b3e4e39803882f5be05ee8606b2b9812920e196daa2a82997ce14%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/r2cb05e499807900ba23e539643eead9c5f0652fd271f223f89da1804%40%3Cpluto-scm.portals.apache.org%3E
https://lists.apache.org/thread.html/r37423ec7eea340e92a409452c35b649dce02fdc467f0b3f52086c177%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/r3868207b967f926819fe3aa8d33f1666429be589bb4a62104a49f4e3%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/r390783b3b1c59b978131ac08390bf77fbb3863270cbde59d5b0f5fde%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/r413e380088c427f56102968df89ef2f336473e1b56b7d4b3a571a378%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/r89aa1b48a827f5641310305214547f1d6b2101971a49b624737c497f%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/ra53677224fe4f04c2599abc88032076faa18dc84b329cdeba85d4cfc%40%3Cpluto-scm.portals.apache.org%3E
https://lists.apache.org/thread.html/ra6389b1b82108a3b6bbcd22979f7665fd437c2a3408c9509a15a9ca1%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/redbd004a503b3520ae5746c2ab5e93fd7da807a8c128e60d2002cd9b%40%3Cissues.nifi.apache.org%3E
https://tanzu.vmware.com/security/cve-2021-22112
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuoct2021.html